Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

Like this presentation? Why not share!

Iss acon2010 tomhave-navetta-final

on

  • 782 views

Tomhave and Navetta presentation at the 2010 ISSA International Conference

Tomhave and Navetta presentation at the 2010 ISSA International Conference

Statistics

Views

Total Views
782
Views on SlideShare
782
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Risk (reduced – least costs security controls) If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL. Judge Learned Hand United States v. Carroll Towing Co. 159 F.2d 169 (2d. Cir . 1947) Risk-based factors in regulations the size, scope, complexity and type of business the amount of resources available to such person the amount of sensitive data nature and scope of its activities

Iss acon2010 tomhave-navetta-final Iss acon2010 tomhave-navetta-final Presentation Transcript

  • Legally Defensible, Proactively Protected
    • David Navetta, Esq., CIPP
    • Benjamin Tomhave, MS, CISSP
  • David Navetta, Esq., CIPP
    • Founding Partner, InfoLawGroup LLP
    • Co-Chair, ABA Information Security Committee
    • Certified Information Privacy Professional (through IAAP)
  • Ben Tomhave, MS, CISSP
    • Gemini Security Solutions
    • MS Engineering Mgmt (InfoSec Mgmt)
    • Co-Vice Chair, ABA ISC
    • ~15 yrs (AOL, WF, E&Y, INS/BT, ICSA Labs)
  • “ Just the Facts”
    • Not if, but when
    • Mounting legal costs
    • Increasing regulatory burden
    SECURITY PROS WILL HAVE TO DEFEND THEIR DECISIONS IN A FOREIGN REALM: the legal world
  • The Gap is Acute
    • Collision of the legal and information security worlds
    • More regulations, more lawsuits, more contract obligations
    • Making decisions that have legal implications and interpreting legal requirements
    • Conversation is lacking or non-existent
  • Multiple Legal Regimes
    • State, Federal, International (e.g. E.U.)
      • Evolving & Overlapping laws, jurisdictions
      • Regulator / private enforcement
    • Contract law
    • Tort law
    • Securities law
  • Legal Defensibility
    • Viewing requirements from an external legal perspective (plaintiff, judge, jury, regulator)
    • Security choices become legal positions
    • Security decision-making process with legal baked in
    • The goal is to anticipate reasonably foreseeable (legal) consequences and reduce legal risks
  • Using Legal Defensibility...
    • Key Attributes
    • Real-World Examples
    • Recommended Steps
    • Action Plan
  • Sidebar: LegDef Origins
    • Survivability
      • Defensibility
      • Recoverability
    • Resilience
    • How to codify?
  • Key Attributes
    • Risk Management
    • Awareness, Understanding, Translation
    • Collaboration
    • Documentation of... decision-making processes ... key infosec decisions with potential for legal impact .
    • Attorney-client privilege
  • Real-World Examples
    • HHS: investigations v. actions http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html#seventh
    • Online banking
      • Shames-Yeakel v. Citizens Financial Bank
      • EMI v. Comerica
    • Guin v. Brazos Higher Education Service Corp. Inc.
  • PCI Interpretative Variances
    • 12.8 If cardholder data is shared with service providers , maintain and implement policies and procedures to manage service providers, to include the following:
    • 12.8.1 Maintain a list of service providers.
    • 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
    • 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
    • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
  • Security v. Legal Viewpoint PCI SECURITY VIEWPOINT V. LEGAL VIEWPOINT
  • Key Legal Issues
    • “ Reasonable” “Appropriate” “Comprehensive” “Adequate”
    • Risk-based factors
      • Size, scope, type, complexity of organization
      • Nature and scope of activities
      • Resources of company
      • Sensitivity of data
      • Volume of data
    • Third-party security assessments – matching risk tolerance
  • Key Legal Issues
    • What legal obligations?
    • Interpretation by courts/regulators
    • Foreseeability!
    • Plaintiff attorney strategies
    • Litigation strategy and procedure
  • Examples of Legal Obligations
    • Security “standards” under the law
    • Contract obligations
    • Service providers and outsourcing
    • Document retention and preservation
  • Indicia of Legal Compliance
    • Risk analysis and remediation
    • Comply with own policies
    • Misrepresentations
    • Specific controls
    • Vendor management
    • Compliance with standards
  • Recommended Steps
    • A champion arises!
    • Find your allies
    • Perform analysis
    • Create your strategy
    • Execute (w/ documentation!)
  • Action Plan
    • Hold key stakeholder meeting(s) and collaboration
    • Conduct information security legal audit
      • What legal requirements apply?
      • Do current security measures address those legal requirements?
  • Action Plan
    • Conduct legal defensibility analysis:
      • Develop security decision process formally incorporating legal analysis
      • Address areas of non-compliance
      • Develop legal positions on high risk legal requirements
      • Develop legal positions for “gray area” legal requirements
  • Action Plan
    • Memorialize positions and proof:
      • Document indicia of legal compliance (e.g. identify standards compliant with, documentation of due diligence, etc.)
      • Document applicable legal positions under attorney-client privilege
  • Q & A THANK YOU!
  • Contact Information
    • David Navetta, Esq., CIPP
      • www.infolawgroup.com
      • [email_address]
    • Benjamin Tomhave, MS, CISSP
      • geminisecurity.com
      • [email_address]